Practical Covert Authentication

Practical Covert Authentication Stanislaw Jarecki University of California at Irvine Public Key Cryptography 2014


Page 1: Practical Covert Authentication

Practical Covert Authentication

Stanislaw Jarecki

University of California at Irvine

Public Key Cryptography 2014

Page 2: Practical Covert Authentication

Presentation Plan

1. Introduction to Covert Computation

2. Practical Covert Authentication Protocol: O(1) rounds, group elements, exponentiations…

3. Main Tool: Compiler for Covert Conditional OTs: ZKPK+ (Σ-protocol) for language L ⇒ Covert Conditional OT for L

4. Extensions / Open Problems

Page 3

Background: Secure Computation

Secure computation hides all except for what's revealed by the output.

[Diagram: A (input x) and B (input y) run protocol π for F in the real world; in the ideal world they hand x and y to F, which returns F(x,y).]

For every (efficient) adversary A there is an (efficient) simulator Ã such that, for all inputs y, A's interaction with π(y) ≈ Ã's interaction with F(y).

Page 4

Background: Secure Computation

Secure computation hides everything it can about B's input… but not the fact that B engages in a computation of F, which is information in itself!

• A voting protocol attempt reveals a potential voter.
• A petition-signing attempt reveals a potential signer.
• … An authentication attempt reveals a member of some organization which uses the authentication protocol, no matter how credential/policy/attribute-hiding that protocol is!

[Diagram: A (input x) and B (input y) run π for F; A learns F(x,y).]

Page 5

Covert Computation: Can we hide the fact that computation is taking place?

Covert computation (for functionality F) should hide even whether party B engages in a secure computation protocol for F.

[Diagram: A runs π for F against a party that is either B or "?" (no protocol participant at all).]

Q: How can we hide that B follows protocol π?
A: Make π's messages indistinguishable from random ($) bits.

Page 6

Covert Computation: Can we hide the fact that computation is taking place?

Covert computation (for functionality F) should hide even whether party B engages in a secure computation protocol for F.

[Diagram: A runs π for F against a party that is either B or a source of $ bits.]

Q: How can we hide that B follows protocol π?
A: Make π's messages indistinguishable from $ bits.

Q: How can we hide that B follows some protocol at all?
A: Run π over a steganographic channel (one that always carries $ bits):
• network control messages, padding, timing;
• pictures, music, voice, …;
• encryption (e.g. a VPN router), other crypto (e.g. "kleptography").

Page 7

Covert Computation: Can we hide the fact that computation is taking place?

Covert computation (for functionality F) should hide even whether party B engages in a secure computation protocol for F.

[Diagram: A (input x) and B/$ (input y or "?") run π for F; A's output is z = F(x,y).]

Q: But doesn't A's output z = F(x,y) reveal that B inputs some y?
A: Yes, but F's outputs can look $ for many (x,y)'s: authenticated key exchange, any authenticated computation, …

Page 8: Practical Covert Authentication

A Bx yD

Distinguishability of F from $ beacon in the ideal world:

F/$

~ ~ Aπ/$

B(y) yD

CovDist F,D,Ã = | Pr[1Ã F(y) | yD] - Pr[1Ã $(F)] |

CovDist π,D,A = | Pr[1A π(y) | yD] - Pr[1A $(π)] |

π covert if A Ã s.t. (1) [standard secure computation requirements] (2) dist. D CovDist F,D,Ã ≈ CovDist π,D,A

Distinguishability of π from $ beacon in the real world:

Covert Computation Covert π = as “random” as the ideal F [vAHL05] (refined in [CGOS07])

Page 9

Covert Computation: What is currently known?

[Diagram: as on page 8 (A with x, B with y ← D, F/$ in the ideal world, π/$ in the real world).]

[vAHL05]: defined covert 2PC; O(sec.par.)-round protocol for any F.
[CGOS07]: defined covert MPC; O(sec.par.)-round protocol for any F.
[GJ10]: Ω(sec.par.) rounds are necessary for covert 2PC/MPC in the plain model.

Can 2PC/MPC be covert in O(1) rounds in the CRS model? Probably (see the last slide).

How about covert authentication (not necessarily a covert 2PC)? This work: 5 rounds (3 in the ROM), ≈30 RSA exponentiations per party.

Page 10

Covert Authentication: Definition

KeyGen → PK + (Cert_A, Cert_B, Cert_C, …)   [unforgeable certificate scheme]

[Diagram: A with (PK, Cert_A) and B with (PK, Cert_B) call F_Auth; A receives K_A, B receives K_B.]

F_Auth: if Ver(PK, Cert_A) and Ver(PK, Cert_B) then K_A = K_B (← $); otherwise K_A ≠ K_B (K_A ← $, K_B ← $).
[+ handling of CRLs]

If A has no valid (& unrevoked) cert then F_Auth ≈ $[F_Auth]; covertness without a valid (& unrevoked) cert requires π_Auth ≈ $[π_Auth].

Our work: game-based definition, no extraction of PK (public input).

Page 11

Covert Authentication: Protocol Idea (1): use a "typical" group signature scheme

KeyGen → PK + (Cert_A, Cert_B, Cert_C, …)   [unforgeable certificate scheme]

A holds (PK, Cert_A), B holds (PK, Cert_B):
  A → B: C_A = COM(Cert_A), then ZKP[(PK, C_A) ∈ L_ComCert]
  B → A: C_B = COM(Cert_B), then ZKP[(PK, C_B) ∈ L_ComCert]

L_ComCert = { x = (PK, C) s.t. ∃ w = (cert, dec) s.t. Ver(PK, cert) = 1 and Decommit(C, cert, dec) = 1 }

Revocation, e.g. by a ZKP that the certificate in C is not on the CRL. Our work uses "verifier-local" revocation (without a ZKP) [BS'04].

Page 12

Covert Authentication: Protocol Idea (1): use a "typical" group signature scheme

[Diagram: as on page 11; A sends C_A = COM(Cert_A) and ZKP[(PK, C_A) ∈ L_ComCert].]

F_ZKP for L: prover P holds witness w = (cert, dec), verifier V holds statement x = (PK, C). If w is a witness for x in L then V outputs b = 1, otherwise b = 0.

A ZKP (for a non-trivial L) makes a protocol inherently non-covert: the verifier's output bit b itself reveals whether a prover took part!

Page 13

Covert Authentication: Protocol Idea (2): replace the ZKP by a covert COT for L_GrSig

[Diagram: A sends C_A = COM(Cert_A); then A (receiver) and B (sender) run COT[(PK, C_A) ∈ L_ComCert].]

Covert Conditional Oblivious Transfer (COT) for L (KEM version)

F_COT for L: receiver R holds witness w = (cert, dec), sender S holds statement x = (PK, C). If w is a witness for x in L then K_R = K_S, otherwise K_R ≠ K_S (both ← $).

Covertness: (1) in R's view π_COT ≈ $[π_COT] if R has no valid w for S's x; (2) in S's view π_COT ≈ $[π_COT] for all x.

Strong soundness: efficient extraction of w from a covertness-breaking R.

Page 14

Covert Authentication: Protocol Idea (2): replace the ZKP by a covert COT for L_GrSig

[Diagram and F_COT definition as on page 13.]

Covert Conditional Oblivious Transfer (COT) for L (KEM version): the analogy

  Signature              ↔ Encryption
  ZK Proof               ↔ Conditional OT (COT)
  ZK Proof of Knowledge  ↔ Strongly-Sound COT

Page 15

Covert Authentication: Full Protocol

KeyGen → PK + (Cert_A, Cert_B, Cert_C, …)   [unforgeable certificate scheme]

A holds (PK, Cert_A), B holds (PK, Cert_B):
  A → B: C_A = COM(Cert_A)
  COT[(PK, C_A) ∈ L_ComCert] with A as receiver (gets K_A^R) and B as sender (gets K_B^S)
  B → A: C_B = COM(Cert_B)
  COT[(PK, C_B) ∈ L_ComCert] with A as sender (gets K_A^S) and B as receiver (gets K_B^R)
  A's key K_A is derived from K_A^R and K_A^S; B's key K_B from K_B^S and K_B^R.

Covertness (assume A has no valid cert):
(1) A's view of the first COT together with K_B^S is ≈ $[π_COT^S];
(2) A's view of C_B and of the second COT is ≈ $[π_COT^R];
⇒ A's view of the whole interaction together with K_B is ≈ $.

Page 16

Covert Authentication: Full Protocol

[Protocol and covertness argument as on page 15.]

The COT needs to assure extraction of the witness w from a covertness-breaking receiver: if an adversary breaks covertness of the authentication protocol, then the reduction extracts a valid certificate (a forgery).

Page 17

Constructing Covert COT for L_ComCert

[Diagram: F_COT for L: R holds witness w, S holds statement x; if w is a witness for x in L then K_R = K_S, otherwise K_R ≠ K_S.]

Assume L = { x = ([g_ij]) s.t. ∃ w = [w_j] s.t.
  g_1 = (g_11)^{w_1} (g_12)^{w_2} … (g_1n)^{w_n}
  …
  g_m = (g_m1)^{w_1} (g_m2)^{w_2} … (g_mn)^{w_n} }
[+ additive and multiplicative relations between the a_j's]

A Smooth Projective Hash Function (SPHF) gives a covert COT, but no extraction of the witness w from a covertness-breaking R.

Page 18

Compiler from ZKPK+ for L_ComCert to Covert COT

[Diagram: F_COT for L: R holds witness w, S holds statement x; if w is a witness for x in L then K_R = K_S, otherwise K_S ≠ K_R.]

Example language: L = { x s.t. ∃ w s.t. x = g^w }

(HV)ZKPK for L:
  P → V: a = g^r
  V → P: e ← $
  P → V: z = r + e·w

Covert COT for L:
  R → S: C = COM(a)
  S → R: e ← $
  R → S: z
  SPHF[ C = COM(F(x,e,z)) ]   (S obtains K_S, R obtains K_R)
  If COM = ElGamal PKE then this is the SPHF for a DDH tuple [CS'98] (+ 2/3 exponentiations per party).

SIM for this ZKPK+: z ← $, e ← $, a = F(x,e,z) = g^z / x^e.

Page 19

Compiler from ZKPK+ for L_ComCert to Covert COT

[Diagram, example language, (HV)ZKPK, covert COT and simulator as on page 18.]

Covertness from a malicious S:
• covert COM [ElGamal];
• z ← $ (by ZKPK+);
• the SPHF is non-interactive.

Page 20

Compiler from ZKPK+ for L_ComCert to Covert COT

[Diagram, example language, (HV)ZKPK, covert COT and simulator as on page 18.]

Covertness from a malicious R, case 1: C ≠ COM(F(x,e,z)). Then K_S is independent of R's view of the SPHF (smoothness).

Page 21

Compiler from ZKPK+ for L_ComCert to Covert COT

[Diagram, example language, (HV)ZKPK, covert COT and simulator as on page 18.]

Covertness from a malicious R, case 2: C = COM(F(x,e,z)). Then, by the Forking Lemma, w ← Ext((e,z), (e',z')).
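The page-18 compiler and the page-21 extractor in one runnable form, as an added worked example that is not the paper's or the author's code: it instantiates the example language x = g^w with the Schnorr Σ-protocol, ElGamal as the covert commitment COM, and the Cramer-Shoup DDH smooth projective hash. The toy group (p = 2039, q = 1019, generators 4 and 9) and all function names are assumptions chosen for illustration only.

```python
# Toy instantiation of the page-18 compiler (constructed example, not the paper's
# code): Schnorr Sigma-protocol for L = { x : exists w, x = g^w }, ElGamal commitment
# to the first message a, and the Cramer-Shoup DDH SPHF; S and R share a key iff R
# committed to a valid transcript.
import random

P, Q = 2039, 1019   # toy safe prime p = 2q + 1 (assumption; far too small for real use)
G, H = 4, 9         # two generators of the order-q subgroup; log_G(H) unknown to all
inv = lambda a, m: pow(a, -1, m)

def F(x, e, z):
    """Recompute Schnorr's first message from (e, z): F(x,e,z) = g^z / x^e."""
    return pow(G, z, P) * inv(pow(x, e, P), P) % P

def commit(m):
    """ElGamal commitment C = (g^k, h^k * m); k is the decommitment."""
    k = random.randrange(1, Q)
    return (pow(G, k, P), pow(H, k, P) * m % P), k

def receiver_round1():
    r = random.randrange(1, Q)
    C, k = commit(pow(G, r, P))            # commit to a = g^r instead of sending it
    return C, (r, k)

def receiver_round2(w, state, e):
    return (state[0] + e * w) % Q          # Schnorr response z = r + e*w

def sender_hash(x, C, e, z):
    """SPHF for 'C commits to F(x,e,z)': returns projection key hp and K_S."""
    alpha, beta = random.randrange(Q), random.randrange(Q)
    c1, c2 = C
    target = c2 * inv(F(x, e, z), P) % P   # equals h^k exactly when C = COM(F(x,e,z))
    hp = pow(G, alpha, P) * pow(H, beta, P) % P
    return hp, pow(c1, alpha, P) * pow(target, beta, P) % P

def receiver_key(hp, state):
    return pow(hp, state[1], P)            # K_R = hp^k: needs only the decommitment k

def run_cot(x, w, cheat=False):
    """Whole covert COT; cheat=True models an R without w that sends a random z."""
    C, st = receiver_round1()
    e = random.randrange(1, Q)             # sender's challenge
    z = random.randrange(Q) if cheat else receiver_round2(w, st, e)
    hp, ks = sender_hash(x, C, e, z)
    return ks, receiver_key(hp, st)

def extract(e1, z1, e2, z2):
    """Forking-lemma extractor (page 21): two transcripts with the same a give w."""
    return (z1 - z2) * inv((e1 - e2) % Q, Q) % Q
```

With a valid witness the two keys agree; without one, K_S is hp^k times a factor raised to the sender's secret β, so it is independent of everything the receiver sees.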

Page 22

Extensions / Open Problems

1. Covert 2PC for any F in the CRS model in O(1) rounds

2. Definitions: Composable Covert MPC?

3. Shorter Covert Authentication (EC with Bilinear Map)

4. Stronger Covert Authentication: Full-Fledged AKE

5. Other Revocation Models

6. Other Applications of Covertness

Page 23

Extensions / Open Problems

1. Covert 2PC for any F in the CRS model in O(1) rounds

2. Shorter Covert Authentication (EC with Bilinear Map)

3. Stronger Covert Authentication: Full-Fledged AKE

4. Other Revocation Models

5. Other Applications of Covertness

… Many other topics in Covert Computation to explore!